It has been a big year for us here at FunCaptcha and next year looks to be even bigger! With all the milestones we’ve hit and are aiming to hit, we felt a quick recap was in order and what better way to do that than with a blog series? In this first installment, we’ll be going over some highlights of 2014 and then we’ll be outlining the direction of five future posts and their significance. To kick things off, here are some milestones we hit in 2014.

 Goodbye 2014


FClogo lock trophy
22,000 websites are now using FunCaptcha to protect their assets and their users from malicious attacks. 520,000,000+ of these very attacks have been blocked, averaging a rate of 14 attempts per second. We were recognized by Fairfax Media as one of the Top Five Australian startups to watch in 2015.


paintbrush multilingual
250+ clients have, upon request, received personalized FunCaptcha packages that championed their brand while providing the high level of security we’re becoming known for. We’ve begun rolling out multilingual support, packaging our first ever Thai and Bahasa Indonesian FunCaptcha packages for clients who requested it.

These milestones wouldn’t have been possible without the ongoing collaboration and passion shared by our ever growing client base so to them – thank-you. It’s a joy to provide peace of mind through enjoyment for you and your users and we look forward to doing so all through 2015 and beyond. But what of 2015? What’s next for FunCaptcha and our clients?

Hello 2015


Over the coming weeks, we’ll be steadily rolling out some of the biggest upgrades yet to FunCaptcha. The five key areas will include overhauled visuals, improved speed, adding an administrator dashboard, opening up potential revenue streams for clients and even providing analytics so each of our clients can see how their individual FunCaptcha package is performing.

Visual Overhaul Visual Overhaul

As each of these updates go live, so too will an accompanying blog post diving into a bit of detail to explain things like motivations behind each upgrade, what we hope to achieve with them and most importantly, how our clients (and their users!) will benefit. For those wanting some more insight into how we operate and what we’re about – you won’t get a better opportunity.

That’s all for now but stay tuned for updates as we say goodbye to 2014, hello to 2015 and most importantly – FunCaptcha 2.0.

Warm regards,

The FunCaptcha Team

Creators of the typed-in CAPTCHA are finally admitting what I’ve been saying for years now: CAPTCHAs cause huge problems. They drive away genuine users and let bots through. If you are a website operator, these CAPTCHAs lower the conversion rate of your online forms as your users get frustrated with twisty letters and leave, increasing the bounce rate of your signup or comment pages.

Recent attempts to kill the CAPTCHA have touted the use of a “black box”: a magical secret bit of code that sorts the users of your site into groups. If the user is put in the group deemed “probably not a bot”, they get no challenge, or one that is not very secure. If the user is put in the group deemed “probably a bot” or “not enough information to decide”, the user gets the old, nasty typed-in challenge that stops both bots and people from continuing.

This black box would be wonderful if it actually worked, but this idea seldom pans out, and I’ll try to explain why. As a website operator, you should ask some hard questions about any spam-blocking solution that relies on a black box.

Will the black box mistakenly treat genuine users as bots?

When the black box mistakenly sorts genuine users of your website into the group “probably a bot”, that is called a false positive. It’s like a medical test that mistakenly says a patient has a disease. Maybe the user’s IP address was used in the past by a bot. Maybe their system is compromised. Maybe they’ve gotten a lot of CAPTCHAs wrong in the past for their own legitimate reasons. Maybe the user was put into a “blacklist” database by mistake. They will probably never know why they are suspected as a bot, and never know how to fix it.

If a user of your site is sorted by the magical black box into the “bot” group, the user gets blocked entirely, or gets a CAPTCHA challenge just as nasty, frustrating, long, and difficult as ever– or even more so. Those users have a big chance of bouncing away from your site. And you’ll never know you lost them. Your site is like a hot-air balloon with a hole somewhere up there. Your signups and comments are not rising as fast as you think they should, but you don’t know where the leak is, or how to fix it.

Many developers are talking now about their bad experiences with the black box mistaking them for a bot, followed by impossible-to-solve puzzles. Their concerns are rising rapidly.

Will the black box mistakenly treat bots as genuine users?

When the black box mistakenly sorts a spambot visitor to your website into the group “probably not a bot”, that is called a false negative. It’s like a medical test that mistakenly says a sick patient is disease free. Maybe the black box is simply not very accurate. Maybe the bot has been deliberately written in a way to appear human. Maybe the bot is cleverly using the resources of a genuine user, like a ghost hovering over their shoulder. This all happens because spammers are determined, and bots can be adapted to fool the black box. The history of computing tells the story of this arms race over and over again, and the black box always loses.

If a bot visiting your site is sorted by the magical black box into the “genuine user” group, the bot gets no challenge, or a trivially easy challenge, such as ticking a box. It’s then very easy for the bot to pass that challenge, and get into your site free and clear. A bot that succeeds will usually signal this, and a torrent of bots will then come rushing in. Your site can get filled with spam overnight, taking weeks to clean up. Sometimes even the very creators of a black-box defense are getting hit with spam!

Again, many developers are talking now about how black boxes can be deeply analysed, which should allow spammers to design bots to get through the black box CAPTCHAs and create lots of spam on their sites.

Will the black box require users to use the internet a certain way?

When the black box sorts genuine users of your website into the group “not enough information to decide”, it has to assume the user is a clever bot, which creates all the problems of the false positive I described above. But why can’t the black box tell? You have to ask and experiment to figure out why. Many developers have already found this depends on the user’s browsing history, or  cookies, or on whether the user is logged into a particular service. As one developer put it, these black box CAPTCHAs are a good way to test how much a company knows about you. It can depend on whether the user is running particular anti-snooping software, or using a browser that’s not very common. You may find that your most interesting and valuable website visitors also happen to be the kind of people who resist using the internet in a conventional way. Why drive them away just because they are not doing what the black box wants them to do?

Even if you personally find all this a bit paranoid, you have to consider how to accommodate your customers who have these concerns. Many find it creepy to find on your site a chunk of code that relies on knowing a huge amount of information about your user– what this observer called the “panopticon” and this one called a “habit of overstepping the limits of what consumers will allow it to learn about them“. They see it as trojan code that can be updated and changed without your knowledge by a company that openly says that it wants to thoroughly track user behavior across the web.

What’s the alternative to the black box?

An alternative to a black box is a transparent box, aligned with the open source ideal. For example, our alternative solution FunCaptcha blocks spammers without resorting to a black box. FunCaptcha is open (if not quite open-source) about its inner workings, and if you try FunCaptcha for yourself you can probably figure it out anyway. At the heart of FunCaptcha is a visual puzzle that is impractical for spammers to attack. (I’ll post more about that later, and share the positive things that security experts have said about FunCaptcha’s approach– it’s a whole other fascinating subject.) FunCaptcha will change the nature of its challenge based on a user’s history, but most importantly, that judgment is easy for you to understand. Furthermore, even if that judgment produces a false positive or false negative, there’s no harm done. A bot mistaken as a genuine user will still get stopped, and a genuine user mistaken as a bot will still get a challenge that is quick and easy to solve. All this sidesteps the secretiveness that makes the black box approach vulnerable.

If a bot tries to randomly guess its way through FunCaptcha, its odds of getting through are low– much lower than the chances of a bot getting through a typed-in CAPTCHA. The IP address of the user may be suspect, because it is on the Stop Forum Spam list or it has gotten FunCaptcha more often wrong than right in the past. If the IP is suspect, the FunCaptcha challenge becomes a little longer– more images to turn the right way up, or faces to move into the middle. When that happens, FunCaptcha’s completion rate remains extremely high– far higher than the completion rate for typed-in CAPTCHAs– and fifteen seconds long on average. (You can see more about this on its page for performance metrics.)

If a user’s IP address has a clean history, and your site’s FunCaptcha security setting is “Automatic”, then the user will get a short challenge– it could be just one image to turn the right way up, or face to move to the middle. On average that short challenge takes less than five seconds to complete. FunCaptcha is slated for a feature that makes it even easier and faster for an IP that has gotten FunCaptcha correct a few times in a row. At the easiest level, the user will get a “free pass” challenge: one click, with no wrong answer. This will make FunCaptcha’s completion rate even higher, and let users through even faster. (By the way, if you want your site to never do all this, and be that much more careful about letting through bots that are randomly guessing the answer, you can make your FunCaptcha security setting “Always enhanced”. The completion rate will still be extremely high and users will still get through very quickly.)

To put it simply…

There is an alternative to the magical black box: a transparent process that the creator is happy to explain to you, or you can quickly figure out by playing with the solution yourself. Make sure that when a spam-blocker sorts a visitor correctly, bots get stopped and users get a very easy and fast challenge. Even if it sorts a visitor incorrectly, you should be assured that bots can’t get far, and genuine users get a quick challenge with an extremely high completion rate. Don’t rely on black-box solutions made by companies that track every aspect of a user’s behavior. Don’t take a chance that your users are being quietly categorized as bots and subjected to terrible typed-in CAPTCHAs, making them leave. Don’t take a chance that a clever botnet will be given trivial challenges, flooding your site with spam. Use a solution that does not rely on a black box.

eCards have been an incredibly useful, popular and often hilarious product since their inception in 1994. The first website ever, The Electric Postcard, went from only a dozen or so cards being sent to over 1.7 million after only one and a half years of operation. The model gained traction and various websites began to spring up, with a website called Blue Mountain Arts even being bought by Excite@Home for upwards of $780m in 1999, at the height of the “Dotcom Bubble”.

However, the security, integrity and potential future of the general eCard business model was thrown into question in 2007, when wave after wave of eCards were sent to random users across the globe, with the subject of “You’ve received a postcard from a family member!” Clicking these interactive eCards would direct users to websites that utilized Javascript to exploit a user’s browser or even include downloadable malware hidden in the eCards itself.

It was a pretty dark time for eCards.

Today, eCards have a wide variety of uses.  From simply wishing mom a Happy Birthday, to raising awareness – and even funds –  for social causes.

Yet the security concerns are still valid: the fundamental process by which an eCard is sent to users can (and is) exploited through automated software and even the manual input of random e-mails. The process usually occurs from the relevant website itself, which requires only your name, your e-mail, the e-mail you wish to send to, a delivery date and of course, the message itself. In June of this year, Symantec reported on an eCcard spam campaign that linked to a “get rich quick scheme” which even utilized a fake BBC news report in an attempt to confuse users and convince them of its legitimacy.

eCard sites need to protect their brands reputation by ensuring their users security. All it takes is for someone to receive one “dodgy” or negative eCard from a service and the experience is forever tainted. Rarely would anyone choose to open up another e-mail from an address or provider that has previously led to disastrous results. In fact they may never open another eCard again – regardless of the source.

FunCaptcha has a deep history in the eCard space, and can answer any questions that you might have on this topic.

The Foo Fighters, in an effort to promote their upcoming “Sonic Highways” US tour have launched a campaign against ticket scalpers called #BeatTheBots, which has moved their pre-sale tickets from online to physical purchasing from a fan’s nearest box office.

beat the bots billboard

Ticket scalpers have always been an issue for promoters and fans of live entertainment, but it’s the advent of online ticket sales that has allowed scalpers to take advantage of software that can bulk buy tickets for reselling. This automation allows one or two people to clog up the online ticket sales process with thousands of fake “customers” (aka Bots) to secure hundreds of tickets before any real customers can get access, meaning you and I are paying a premium for our tickets – if we can get them at all! So when we heard that the Foo Fighters had opted for a physical sales process instead of an online one, the music fan in us thought “Oh cool – that’s pretty retro!” but then the tech head in us realized “This is just wrong!”. To be clear – we love that the Foos are fighting back but just hate that they have to do it.

So, what to do? Well, the FunCaptcha team’s primary goal has always been to beat the bots but allow genuine customers through while also having fun. Traditional CAPTCHA’s are something no-one really enjoys but they’ve been a necessary evil – until now. We decided to put a quick custom FunCaptcha together for the Foo Fighters, just to give people a taste at what’s possible when they want to #BeatTheBots.


Congratulations to the Foo Fighters for taking the initiative and fighting back but we may have a better solution for them: use our service for any online ticket sales process. FunCaptcha has a >96% success rate for genuine humans while battling bots and spammers. This allows all fans the comfort and ease of purchase that online is known for, while ensuring scalper-bots get the middle finger they deserve.

Finally: we’re a bit TOO excited for them to be gracing Australian shores as part of their world tour, specifically Brisbane on Tuesday, 24th of February.

1 2 3 4 5
Our Clients